Lazarus group, a prominent Advanced Persistent Threat (APT) group from the Democratic People’s Republic of Korea (DPRK), has recently been observed installing backdoors on the systems of financial institutions in Latin America. Trend Micro researchers found that the backdoor, named “Msadoz.dll”, had been successfully installed on the machines of financial institutions around September 19, 2018. Two additional components were installed alongside it. “AuditCred.dll/ROptimizer.dll” is a loader Dynamic Link Library (DLL) that is launched as a service and triggers the installation of the backdoor. The “Auditcred.dll.mui/rOptimizer.dll.mui” configuration file is loaded after the main backdoor is installed; the backdoor extracts the Command and Control (C2) server information from it and connects to that server. The backdoor poses a significant threat to the victim because of its wide range of capabilities: collecting file, folder and drive information; deleting files; downloading files and additional malware; injecting code from files into other running processes; launching, terminating and enumerating processes; opening a reverse shell; updating its configuration data; and acting as a proxy. The backdoor can also run in passive mode: instead of actively connecting to the C2 server, it opens and listens on a port and receives its commands through it.
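The following hunting helper is an added example, not code from the Trend Micro report or from this advisory. It turns the three host artefacts described above (a service-launched loader DLL, the backdoor DLL, a configuration file named after the DLL with a .mui suffix) and the passive-mode listener into checks over constructed inventory records; the component file names come from the text, while the service host process (svchost.exe), the set of expected listening ports and the sample records are assumptions.

```python
"""Host hunting checks for the loader / backdoor / config trio and for passive-mode
listeners. Inputs are constructed records standing in for a host inventory export."""
import ntpath
from collections import namedtuple

Service = namedtuple("Service", "name service_dll")      # service name, ServiceDll path
Listener = namedtuple("Listener", "pid process port")   # listening TCP socket

# File names taken from the report; matching is case-insensitive.
KNOWN_LOADERS = {"auditcred.dll", "roptimizer.dll"}
KNOWN_BACKDOOR_PREFIX = "msadoz"          # report names the backdoor Msadoz.dll
# Assumption: ports a service-hosting process normally listens on in this estate.
EXPECTED_LISTEN_PORTS = {135, 445, 3389}


def mui_sibling(dll_path, existing_files):
    """Return '<dll>.mui' if it sits directly beside the DLL. Genuine resource .mui
    files live in locale subfolders (e.g. en-US), so a sibling .mui next to a
    service DLL matches the config-file pattern described in the report."""
    candidate = dll_path.lower() + ".mui"
    return candidate if candidate in existing_files else None


def suspicious_services(services, existing_files):
    """Flag services whose ServiceDll matches the reported names or carries a sibling .mui."""
    files = {f.lower() for f in existing_files}
    findings = []
    for svc in services:
        base = ntpath.basename(svc.service_dll).lower()   # ntpath handles backslashes anywhere
        reasons = []
        if base in KNOWN_LOADERS:
            reasons.append("service DLL name matches reported loader")
        if base.startswith(KNOWN_BACKDOOR_PREFIX) and base.endswith(".dll"):
            reasons.append("DLL name matches reported backdoor")
        if mui_sibling(svc.service_dll, files):
            reasons.append("config-style .mui file sits beside service DLL")
        if reasons:
            findings.append((svc.name, reasons))
    return findings


def passive_mode_listeners(listeners):
    """Passive-mode cue: a service host process listening on an unexpected port."""
    return [l for l in listeners
            if l.process.lower() == "svchost.exe" and l.port not in EXPECTED_LISTEN_PORTS]


# Constructed sample records (not real telemetry).
SAMPLE_FILES = [r"C:\Windows\System32\AuditCred.dll", r"C:\Windows\System32\AuditCred.dll.mui",
                r"C:\Windows\System32\en-US\kernel32.dll.mui", r"C:\Windows\System32\wuaueng.dll"]
SAMPLE_SERVICES = [Service("wuauserv", r"C:\Windows\System32\wuaueng.dll"),
                   Service("AuditSvc", r"C:\Windows\System32\AuditCred.dll")]
SAMPLE_LISTENERS = [Listener(912, "svchost.exe", 135), Listener(2201, "svchost.exe", 47612),
                    Listener(4, "System", 445)]
```

Any hit from either function is a lead for review, not a verdict: confirm the DLL on disk against the published indicators before acting.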

Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts. Members of the financial services industry should be aware that they are specifically targeted by malware and APT groups due to the nature of their business. Never open files from unverified sources, and be aware of other infection vectors such as email attachments and infected websites.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.